mailing list archives
Information System Security Assessment Framework (ISSAF) Draft 0.1
From: "admoore () phreaker net" <admoore () phreaker net>
Date: Thu, 30 Dec 2004 21:55:52 +0530
Today, the evaluation of Information Systems (IS) security in accordance with business requirements is a vital
component of any organizations business strategy. While there are a few information security assessment standards,
methodologies and frameworks that talk about what areas of security must be considered, they do not contain specifics
on HOW and WHY existing security measures should be assessed, nor do they recommend controls to safeguard them.
The Information System Security Assessment Framework (ISSAF) is a peer reviewed structured framework that categorizes
information system security assessment into various domains & details specific evaluation or testing criteria for each
of these domains. It aims to provide field inputs on security assessment that reflect real life scenarios. ISSAF should
primarily be used to fulfill an organizations security assessment requirements and may additionally be used as a
reference for meeting other information security needs. ISSAF includes the crucial facet of security processes and,
their assessment and hardening to get a complete picture of the vulnerabilities that might exists.
The information in ISSAF is organized into well defined evaluation criteria, each of which has been reviewed by subject
matter experts in that domain. These evaluation criteria include:
A description of the evaluation criteria.
Its aims & objectives
The pre-requisites for conducting the evaluations
The process for the evaluation
Displays the expected results
References to external documents
A draft version of this framework is available at OISSG website at:
http://oissg.org/issaf01/issaf0.1.zip (5.59 MB) or http://oissg.org/issaf01/issaf0.1.pdf (12.6 MB)
The Information System Security Assessment Framework (ISSAF) is an evolving document that will be expanded, amended and
updated in future. To improve the usefulness of the future release of ISSAF, please take a moment to evaluate it. Your
feedback is invaluable to OISSG's efforts to fully serve the profession and future ISSAF releases. The feedback form is
given at the end of ISSAF; please email your feedback at feedback () oissg org We will get back to you ASAP.
Full-Disclosure - We believe in it.
- Information System Security Assessment Framework (ISSAF) Draft 0.1 admoore () phreaker net (Dec 31)